I am trying to use python to do the same functionality as this command:
    gsutil iam ch group:group_name@gmail.com:objectAdmin gs://bucket_name

I am trying to give the objectAdmin role to a group using Python. The above command works well in cloud powershell, but I could not do it in Python yet.
I have tried to do this by replacing "members": {member} with "groups": {group_name} in this add_bucket_iam_member function:

    from google.cloud import storage

    def add_bucket_iam_member(bucket_name, role, member):
        """Add a new member to an IAM Policy"""
        # bucket_name = "your-bucket-name"
        # role = "IAM role, e.g., roles/storage.objectViewer"
        # member = "IAM identity, e.g., user: name@example.com"
        storage_client = storage.Client()
        bucket = storage_client.bucket(bucket_name)
        policy = bucket.get_iam_policy(requested_policy_version=3)
        # original line, which works for users:
        #policy.bindings.append({"role": role, "members": {member}})
        # attempted replacement for groups:
        policy.bindings.append({"role": role, "groups": {group_name}})
        bucket.set_iam_policy(policy)
        print("Added {} with role {} to {}.".format(member, role, bucket_name))
It doesn't give an error, but it did not work either: after it finishes and I get the policy dict again, the group permission that I have set is removed. (Meanwhile, it works fine with members.)

I have also tried:

    os.system("gsutil iam ch group:group_name@gmail.com:objectAdmin gs://bucket_name")

and

    subprocess.run("gsutil iam ch group:group_name@gmail.com:objectAdmin gs://bucket_name", shell=True)

but that did not work either.

Any help?
OK, your policy.bindings.append is incorrect.

You want what you originally had:

    role = "roles/storage.objectViewer"
    group = "some@googlegroups.com"
    member = f"group:{group}"

    policy.bindings.append({
        "role": role,
        "members": {
            member,
        }
    })
Full example:
    from os import getenv
    from google.cloud import storage

    bucket_name = getenv("BUCKET")
    group = getenv("GROUP")

    role = "roles/storage.objectViewer"
    member = f"group:{group}"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    policy = bucket.get_iam_policy(requested_policy_version=3)

    policy.bindings.append({
        "role": role,
        "members": {
            member,
        }
    })

    bucket.set_iam_policy(policy)
    print("Added {} with role {} to {}.".format(member, role, bucket_name))
And:
    PROJECT="[[YOUR-PROJECT]]"
    ACCOUNT="[[YOUR-SERVICE-ACCOUNT]]"
    BUCKET="[[YOUR-BUCKET]]"
    GROUP="[[YOUR-GROUP-EMAIL]]"

    gcloud projects create ${PROJECT}

    gcloud iam service-accounts create ${ACCOUNT} \
    --project=${PROJECT}

    EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"

    gcloud iam service-accounts keys create ${PWD}/${ACCOUNT}.json \
    --iam-account=${EMAIL} \
    --project=${PROJECT}

    gcloud projects add-iam-policy-binding ${PROJECT} \
    --member=serviceAccount:${EMAIL} \
    --role=roles/storage.admin

    export GOOGLE_APPLICATION_CREDENTIALS=${PWD}/${ACCOUNT}.json
    export GROUP
    export BUCKET

    python3 -m venv venv
    source venv/bin/activate

    python3 -m pip install google-cloud-storage

    python3 main.py

Yields:

    Added group:${GROUP} with role roles/storage.objectViewer to ${BUCKET}.
And:
    FILTER=".bindings[]|select(.members|index(\"group:${GROUP}\")).role"
    gsutil iam get gs://${BUCKET} \
    | jq -r "${FILTER}"

Yields:

    roles/storage.objectViewer
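The answer's append works, but it has two rough edges a practitioner hits in real policies: appending creates a second binding for a role that already has one, and nothing confirms the grant took effect (the asker's symptom was a silently dropped binding; the client library only serializes the "role", "members" and "condition" keys of each binding, so an unknown "groups" key is simply discarded on the way to the API). The following is an added example, not code from the question or the answer. It keeps the merge logic on the plain list-of-dict shape that google-cloud-storage exposes as policy.bindings, so that part runs offline on a constructed policy; the bucket round-trip in grant_group_on_bucket() needs google-cloud-storage plus credentials and is only called when you run it against a real bucket. The role allow-list, the example group address and the constructed policy are assumptions for illustration.

```python
"""Idempotent, verified group grant on a Cloud Storage bucket.

Added example; not code from the question or answer above. The merge logic
works on the plain list of binding dicts that google-cloud-storage exposes as
policy.bindings (each with "role", a set of "members" and an optional
"condition"), so it runs offline. Only grant_group_on_bucket() talks to GCS.
"""
from __future__ import annotations

import re
from typing import Iterable

# Assumed allow-list (not a Google default): the only roles this helper will
# hand to a group, so a typo cannot silently grant roles/storage.admin.
ALLOWED_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectCreator",
    "roles/storage.objectAdmin",
}

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def group_member(group_email: str) -> str:
    """Build the IAM member string. The 'group:' prefix is what tells IAM the
    principal type; a binding has no 'groups' key."""
    if not _EMAIL_RE.match(group_email):
        raise ValueError(f"not an e-mail address: {group_email!r}")
    return f"group:{group_email}"


def add_member_to_bindings(bindings: list[dict], role: str, member: str,
                           allowed_roles: Iterable[str] = ALLOWED_ROLES) -> list[dict]:
    """Return a new bindings list in which `member` holds `role`.

    Unlike a bare append this merges into the existing unconditional binding
    for the role (a duplicate binding per role is accepted by the API but is
    harder to audit), never touches a binding that carries an IAM condition
    (that grant only applies while the condition holds), and is idempotent.
    The input list is left unmodified.
    """
    if role not in set(allowed_roles):
        raise ValueError(f"{role!r} is not in the allow-list")
    result: list[dict] = []
    merged = False
    for binding in bindings:
        copy = {**binding, "members": set(binding.get("members", ()))}
        if not merged and copy["role"] == role and not copy.get("condition"):
            copy["members"].add(member)
            merged = True
        result.append(copy)
    if not merged:
        result.append({"role": role, "members": {member}})
    return result


def members_with_role(bindings: list[dict], role: str) -> set[str]:
    """Every member holding `role` through an unconditional binding."""
    found: set[str] = set()
    for binding in bindings:
        if binding["role"] == role and not binding.get("condition"):
            found |= set(binding.get("members", ()))
    return found


def grant_group_on_bucket(bucket_name: str, group_email: str, role: str):
    """Apply the grant to a real bucket and verify it by re-reading the policy.
    Not exercised offline; needs google-cloud-storage and Application Default
    Credentials allowed to get and set the bucket's IAM policy."""
    from google.cloud import storage  # imported here so the rest runs offline

    member = group_member(group_email)
    bucket = storage.Client().bucket(bucket_name)
    policy = bucket.get_iam_policy(requested_policy_version=3)
    policy.bindings = add_member_to_bindings(policy.bindings, role, member)
    bucket.set_iam_policy(policy)
    # The question's symptom was a grant that silently vanished, so check the
    # server's view of the policy rather than trusting the object just sent.
    after = bucket.get_iam_policy(requested_policy_version=3)
    if member not in members_with_role(after.bindings, role):
        raise RuntimeError(f"{member} does not hold {role} on gs://{bucket_name}")
    return after


if __name__ == "__main__":
    # Constructed policy, not fetched from GCS: one viewer, one conditional admin.
    demo = [
        {"role": "roles/storage.objectViewer", "members": {"user:alice@example.com"}},
        {"role": "roles/storage.objectAdmin", "members": {"user:bob@example.com"},
         "condition": {"title": "temp",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ]
    member = group_member("team@googlegroups.com")
    demo = add_member_to_bindings(demo, "roles/storage.objectAdmin", member)
    for b in demo:
        print(b["role"], sorted(b["members"]), "conditional" if b.get("condition") else "")
```

Running the script offline prints the constructed policy after the merge: the conditional objectAdmin binding is untouched and a new unconditional objectAdmin binding holds only the group. To apply it for real, call grant_group_on_bucket(bucket_name, group_email, role) with the same environment the answer sets up; the re-read after set_iam_policy is the check that replaces the manual gsutil iam get | jq step.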